third-party cyber risk management
Threatonomics

Fortifying Defenses: Effective Third-Party Risk Management in Cybersecurity

by Si West , Director, Customer Engagement
Published

As cybercriminals continue to evolve their strategies and target vulnerabilities in digital systems, businesses face an increasing need for robust third-party risk management. The first half of 2023 has been no exception, memorialized as a period marked by significant shifts in cybercriminal strategies. Notably, these evolving tactics have aimed at an often-overlooked aspect of cybersecurity–the third-party attack surface.

As headlines have been dominated by reports of high-profile cyber attacks on major organizations, one common denominator has emerged– many of these incidents were made possible by exploiting vulnerabilities residing within third-party vendors. Large organizations on average maintain 173 vendors within their supply chain, creating a massive attack surface with huge potential for security gaps. This growing threat has thrust the need for robust third-party risk management strategies to the forefront of discussion.

Comprehensive third-party risk management is crucial to safeguarding businesses and protecting sensitive data from cyber threats– a key component of Cyber Resilience.

Adapting to New Cyber Threats

The Resilience 2023 Mid-Year Cyber Claims Report reveals a strategic shift among cybercriminals toward exploiting vulnerabilities in third-party vendors. This trend has had a broader impact on organizations, leading to domino-style data breaches that devastate multiple businesses.

Insights from the Resilience 2023 Mid-Year Cyber Claims Report

Recovery Improvements: Those who experienced ransomware to the point that a payment was demanded were still technically hit. The fact that only 15% had to pay tells me that the other 75% likely had good recovery strategies in place which allowed them to forgo a ransom payment.

Shift Towards Larger Targets: The report indicates a strategic move by cybercriminals towards targeting larger organizations, a tactic known as “big-game hunting,” evidenced by increased ransom demands.

Vulnerability of Third-Party Vendors: The MOVEit attacks underscore the risks posed by third-party vendors, now identified as the leading vulnerability point in cybersecurity incidents.

Emergence of Encryption-less Extortion: A pivot towards encryption-less extortion tactics, where cybercriminals steal sensitive data and demand a ransom by threatening to release or sell the information without encrypting it, has been observed, complicating the detection and response to cyber threats.

Broad Industry Targeting: Cybercriminals have broadened their targets beyond traditional sectors, with manufacturing and education notably impacted in recent attacks.

Elevating Cybersecurity Through Strategic Third-Party Risk Management

Protecting your organization’s data, infrastructure, and other assets now requires extending security measures to include the attack-surface of each third-party vendor. Here’s how organizations can strengthen their defenses with thorough protocol development, security monitoring, and rigorous vendor assessments.

Protocol Development and Enforcement: Establishing clear, detailed protocols for your vendors to follow is critical for any effective third-party risk management program. These protocols outline security and insurance requirements and expectations for third-party vendors. Creating these protocols is just the start; the real impact comes from regularly auditing and enforcing these policies. Incorporating these standards into contracts makes compliance mandatory, improving the security compliance of the vendor network.

Comprehensive Vendor Assessment: A key element in third-party risk management is regularly performing thorough security assessments of vendors. These assessments examine the vendors’ cybersecurity framework, incident response capabilities, compliance with industry standards, and coverage. Organizations can use security frameworks, such as the NIST CSF or ISO 27001, to establish a vendor risk assessment process that uncover possible weaknesses within vendor networks. Having open discussions with vendors about assessment results and working together to address security issues is essential to sustain a solid cybersecurity posture against threats from any potential gaps within the supply chain.

Enhanced Security Controls: Proactive security measures up and down the supply chain are essential to counter dynamic threats that could trigger a sprawling incident. Implementing advanced security protocols and continuously monitoring third-parties can prevent potential threats. Tools like automated security scanning and real-time threat detection are crucial, allowing quick identification and response to vulnerabilities. Establishing procedures for immediate action when security breaches are detected strengthens an organization’s defense against cyber threats.

Integrating Risk Management into Cybersecurity Strategy

Integrating third-party risk management (TPRM) into a broader cybersecurity strategy is essential for creating a holistic defense framework that closes security gaps and understands its full value-at-risk. To integrate TPRM objectives with overall cybersecurity goals and strengthen the organization’s security posture, security leaders must actively seek out these gaps to address vendor risks.

Third-party risk governance and frameworks ensure that third-party engagements are managed under strict security standards to mitigate the damage of external entities’ data breaches and cyber threats. Organizations can maintain oversight over their vendor’s cybersecurity practices by implementing a unified strategy with each vendor. Working closely and maintaining strong relationships with your third-party enhances visibility into risks, facilitates better decision-making, and ensures a cohesive response to threats. By embedding TPRM into the cybersecurity strategy, organizations can ensure that security measures are consistently applied across all external partnerships, minimizing vulnerabilities and enhancing resilience against threats in the supply chain.

Anticipating Future Challenges 

Organizations must prioritize adaptability and agility to effectively anticipate and counter future cybersecurity challenges. This requires maintaining up-to-date knowledge of emerging trends and leveraging advanced threat intelligence.

The evolving tactics of cybercriminals in 2023 underscores the necessity of proactive strategies and continual evaluation of risk management capabilities. This involves staying abreast of industry developments, sharing intelligence internally and with trusted partners, and implementing measures to quickly address identified risks.

Embracing advanced technologies and fostering collaboration with industry peers helps organizations bolster their ability to detect and respond to emerging threats. By acquiring knowledge, utilizing advanced threat intelligence, and implementing robust cybersecurity measures, organizations can effectively anticipate and counter future challenges, strengthening their overall resilience. Strengthen your cybersecurity with our expert demo – see how our solutions protect your operations.

About the Author
Si West , Director, Customer Engagement

You might also like

Cybersecurity and insurance predictions for 2026

The cyber threat landscape is evolving at breakneck speed, and the challenges organizations will face in 2026 look dramatically different from those of even a year ago. To understand what’s coming, we gathered insights from Resilience’s leading cybersecurity and cyber insurance experts: Dr. Ann Irvine, Chief Data and Analytics Officer; Chris Wheeler, CISO; David Meese, […]

Risk-based vendor tiering that actually works

Welcome back to the Resilience third-party management series. In our first three posts, we covered why third-party vendor discovery matters, how to locate vendors across your environment, and which high-risk vendor categories most organizations overlook. Now we turn to the next step: prioritizing those vendors based on actual cyber risk—not contract spend. Most vendor management […]

The vendors you’re probably missing

While the seven data streams from our previous post will capture the majority of your vendor relationships, they’re primarily designed to find digital services and traditional procurement relationships. Today, we’re exploring the vendor categories that fall through the cracks of most discovery programs, as well as why they often represent some of your highest-risk relationships. […]

How to prepare your organization for a post-quantum world

Quantum computing is on the horizon, and with it comes a seismic shift in how organizations must think about cybersecurity risk. The ability of future quantum machines to break today’s cryptographic protections, what we call quantum decryption, could undermine the trust, confidentiality, and resilience of digital business. This briefing series distills a highly technical topic […]

When will quantum decryption become practical?

As part of Cybersecurity Awareness Month, we’re publishing this three-part series that distills a highly technical topic into strategic insights for leaders. Part 1 explained why quantum decryption poses a threat to current encryption systems. Part 2 lays out credible timelines for when the disruption may arrive. Part 3 will offer practical guidance on how […]

What business leaders need to know about post-quantum cyber risk

Quantum computing is on the horizon and with it comes a seismic shift in how organizations must think about cybersecurity risk. The ability of future quantum machines to break today’s cryptographic protections–what we call quantum decryption–could undermine the trust, confidentiality, and resilience of digital business.                                                                                          As part of Cybersecurity Awareness Month, throughout October we are […]